Title

XFACILIT class, or alternate class if specified in module CKRSITE, must be active. (Cat II impact)

Discussion

The zSecure resource class that is configured for the zSecure access checks must be active to receive valid Allow/Deny responses from external security manager (ESM) resource checks. Activation is outside of zSecure, in the ESM.

Check Content

Run the CARLa command SHOW CKRSITE. The output of this command reveals which resource class is configured for handling the zSecure security checks. The default resource class is XFACILIT. Verify in the class descriptor table that the configured zSecure resource class is active. If the configured zSecure resource class is not active, this is a finding.

Fix Text

Ensure the resource class that is configured in CKRSITE for zSecure security checks is active in the RACF class descriptor table. The default class is XFACILIT. IBM Security zSecure recommends the generic be activated. Following is a sample command: SETROPTS CLASSACT(XFACILIT) or SETROPTS CLASSACT(<configured resource class for access checks>)

Additional Identifiers

Rule ID: SV-259738r961863_rule

Vulnerability ID: V-259738

Group Title: SRG-APP-000516-MFP-000195

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.